From owner-freebsd-security@FreeBSD.ORG Thu May 8 04:39:21 2003
From: Greg Panula
Organization: Dolan Information Center Inc
Date: Thu, 08 May 2003 06:39:15 -0500
To: Michael Collette
cc: FreeBSD Security
Subject: Re: VPN through BSD for Win2k, totally baffled
Message-ID: <3EBA41E3.46C0AEA8@dolaninformation.com>
References: <200305071921.33596.metrol@metrol.net>
Reply-To: greg.panula@dolaninformation.com
List-Id: Security issues [members-only posting]
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386)

Michael Collette wrote:
>
> Scenario:
> FreeBSD box running IPFW acting as a gateway to private network. The private
> network is made up of entirely routeable IP addresses. External users
> running Win2k and XP on DSL connections with dynamic IPs.
>
> Goal:
> To have the FreeBSD gateway securely authenticate and encrypt the traffic
> between the outside users and the internal network.
>
> I've spent the last 3 days running up and down Google and reading any books
> that approach the subject of setting up a VPN. The further down this road
> I've travelled the more confused I am.
>
> I assume the following:
> * Need to have a certificate setup with OpenSSL.
> * Racoon needs to deal with a key exchange.
> * Some kind of tunneling gets put into play.
> * Setkey needs appropriate policies.
>
> I happened across the Google cache of a tutorial that seems to cover this
> subject. There seem to be a couple of key points missing, as well as some
> apparently out of date syntax. I did manage to create a CA and client cert
> from a mix of this tutorial and the AbsoluteBSD book.
>
> http://216.239.37.104/search?q=cache:mFG0kB-ghLoC:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-2.html+FreeBSD-WIN2K-IPSEC-HOWTO-2.html&hl=en&lr=lang_en&ie=UTF-8
>
> Managed to get a certificate generated from that process installed on a test
> XP box per the following...
>
> http://216.239.33.104/search?q=cache:FFxjH0VQGD0C:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-4.html+FreeBSD-WIN2K-IPSEC-HOWTO-4.html&hl=en&lr=lang_en&ie=UTF-8
>
> Where I totally lost it was on the FreeBSD setup. The author is referring to
> certificates that he never described how they should be created. I didn't
> know what in the heck to do here.
>
> http://216.239.33.104/search?q=cache:oNMJe4EHOu4C:www.sigsegv.cx/FreeBSD-WIN2K-IPSEC-HOWTO-3.html+FreeBSD-WIN2K-IPSEC-HOWTO-3.html&hl=en&lr=lang_en&ie=UTF-8
>
> Am I even on the right path? Aside from this one tutorial I've been through
> several others, as well as looking at a variety of IPSec related pages.
> There's obviously a number of different approaches out there to take, but I'm
> simply looking for one that works. Just to know that I'm heading in the
> correct direction or not would be an incredible help.
>

Handy links, thanks. Haven't done certs+ipsec, yet... only pre-shared secrets.

It looks like you are on the right path.

The first link walks one thru creating the needed certs: CA aka Certificate Authority (_the_ source for all certs), cert for the gateway (vpn server) and cert for the user.

Second link walks one thru importing two certs into the windows box: CA and user cert.

Third link, where you get lost, talks about where to put the gateway & CA cert. The gateway certificate is the one you created under section 2.4 on the first link. Look at the last two openssl lines in section 2.4 on that first link. It is creating a certificate for the vpn server (server-signed.pem) signed by the CA you created, and the last line outputs a decrypted private key (server-key.pem) for racoon to use with the signed certificate.

Hope that helps,
greg
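The certificate steps Greg describes (a CA, a gateway certificate signed by that CA, and a passphrase-free private key for racoon), written out as an added example. This is not the howto's own script nor anything from the thread: the file names follow the message (server-signed.pem, server-key.pem), while the subject names, the "demo" passphrase, the key size and the scratch directory are assumptions made here. The two check functions at the end are the things worth confirming before handing the files to racoon: that the signed cert actually validates against the CA, that the key matches the cert, and that the key is no longer encrypted (racoon cannot prompt for a passphrase at boot).

```shell
#!/bin/sh
# Added example: CA + gateway certificate + decrypted key for racoon.
# Not the howto's or the list author's code; paths, names and the
# "demo" passphrase are assumptions. On a real gateway the output files
# go wherever racoon.conf's "path certificate" points.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

make_certs() {
    cd "$WORKDIR"
    # 1. The CA: a self-signed root that will sign the gateway and user certs.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example VPN CA" \
        -keyout ca-key.pem -out ca-cert.pem 2>/dev/null
    # 2. The gateway key (passphrase-protected) and a signing request for it.
    openssl req -newkey rsa:2048 -passout pass:demo \
        -subj "/CN=vpn.example.invalid" \
        -keyout server-key-enc.pem -out server-req.pem 2>/dev/null
    # 3. The CA signs the request: this is server-signed.pem from the thread.
    openssl x509 -req -in server-req.pem -CA ca-cert.pem -CAkey ca-key.pem \
        -CAcreateserial -days 365 -out server-signed.pem 2>/dev/null
    # 4. Strip the passphrase: server-key.pem is what racoon reads unattended.
    openssl rsa -in server-key-enc.pem -passin pass:demo \
        -out server-key.pem 2>/dev/null
    # Private keys must not be world-readable.
    chmod 600 ca-key.pem server-key-enc.pem server-key.pem
}

verify_chain() {
    # 0 when server-signed.pem chains to the CA and server-key.pem is its key.
    cd "$WORKDIR"
    openssl verify -CAfile ca-cert.pem server-signed.pem >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -noout -modulus -in server-signed.pem | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in server-key.pem 2>/dev/null | openssl sha256)
    [ "$cert_mod" = "$key_mod" ]
}

key_is_unencrypted() {
    # racoon needs a plaintext key: neither the PKCS#8 "ENCRYPTED PRIVATE KEY"
    # header nor the legacy "Proc-Type: 4,ENCRYPTED" line may be present.
    ! grep -q "ENCRYPTED" "$WORKDIR/server-key.pem"
}

make_certs
echo "certificates written to $WORKDIR:"
ls -l "$WORKDIR"
```

Run it with `sh make-vpn-certs.sh` (or set `WORKDIR` first to choose the output directory). A user certificate for the Windows side is produced the same way as the gateway one (steps 2 and 3 with a different subject), then exported together with ca-cert.pem for import on the client, which is what the second link in the thread covers.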